Whitelist query params with VCL


#1

I’ve read about Boltsort helping improve caching by sorting the query params, is there something akin to this that will filter params to a given whitelist? (ideally with means of regex matching)

This way we can prevent someone simply adding v=<a_number_here> to the end of the query params to force a cache miss…


#2

Hi Ryan,

There isn’t a specific query whitelisting function. This is a request on our feature list. However, you can whitelist URL parameters using VCL in the following manner:

  • Have a list of query parameters that should be accepted

  • Parse them into headers

Example: 

set req.http.X-Param_xxx = regsub(req.url, ".*[&|?](xxx=[^&]*).*", "\1");
  • Then strip query parameters from URL path
Example: 

set req.http.X-URL = req.url.path
  • Rebuild the URL with the accepted query parameters
Example:

set req.url = req.http.X-URL req.http.X-Param_xxx ...;

Let me know if this helps.

Best


#3

For future reference (we saw this page from searching) - Check out here: https://docs.fastly.com/guides/vcl/query-string-manipulation-vcl-features

There is functionality that does this more cleanly now.


#4

I use the following in vcl_recv to remove any UTM or gclid parameters:

import querystring;

/* remove client-side tracking parameters from querystring */
if (req.url ~ "\?") {
    set req.url = querystring.clean(req.url);
    set req.url = querystring.regfilter(req.url, "utm_[a-z]+|gclid");
    set req.url = querystring.sort(req.url);
}